Title: Grid Authentication and Authorization with Reliably Distributed Services GAARDS
Slide 1: Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)
Open Grid Forum 19, January 31, 2007, Chapel Hill, NC
Stephen Langella, Ohio State University, langella_at_bmi.osu.edu
Slide 2: Agenda
- caBIG
- caGrid
- caGrid Security Overview (GAARDS)
- Dorian
- Authentication Service
- Grid Trust Service (GTS)
- Grid Grouper
- Authz / Common Security Module (CSM)
- Additional Information
Slide 3: National Cancer Institute 2015 Goal
Relieve suffering and death due to cancer by the year 2015.
Slide 4: Cancer Biomedical Informatics Grid (caBIG™)
- Need: Enable investigators and research teams nationwide to combine and leverage their findings and expertise in order to meet the NCI 2015 Goal.
- Strategy: Create a scalable, actively managed organization that will connect members of the NCI-supported cancer enterprise by building a biomedical informatics network.
- National Cancer Institute Initiative
  - Over 800 Participants
  - Over 80 Organizations
  - Over 70 Projects
Slide 5: caBIG Community Organization
Slide 6: caGrid
- Grid Infrastructure for caBIG
- Enterprise Level Grid Components
- caGrid Components
  - Grid Service Graphical Development Toolkit (Introduce)
  - Metadata
  - Advertisement and Discovery
  - Semantic Services
  - Data Service Infrastructure
  - Analytical Service Infrastructure
  - Identifiers
  - Workflow
  - Security
Slide 7: GAARDS Overview
- Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)
- GAARDS provides services and tools for the administration and enforcement of security policy in an enterprise Grid.
- Developed on top of the Globus Toolkit
- Extends the Grid Security Infrastructure (GSI)
- Provides enterprise services and administrative tools for:
  - Grid User Management
  - Identity Federation
  - Trust management
  - Group/VO management
  - Access Control Policy management and enforcement
  - Integration between existing security domains and the grid security domain
Slide 8: GAARDS Components
- Dorian
  - Grid User Account Management
  - Integration point between external security domains and the grid.
  - Allows accounts managed in external domains to be federated and managed in the grid.
  - Dorian allows users to use their existing credentials (external to the grid) to authenticate to the grid.
- Grid Trust Service (GTS)
  - Creation and management of a federated trust fabric.
  - Supports applications and services in deciding whether or not signers of digital credentials/user attributes can be trusted.
  - Supports the provisioning of trusted certificate authorities and corresponding CRLs.
- Grid Grouper
  - Group management service for the grid
  - Provides a group-based authorization solution for the Grid
  - Enforces authorization policy based on membership in groups
Slide 9: GAARDS Components
- Authentication Service
  - Integrates existing credential providers into the grid.
  - Provides a uniform grid interface for authenticating to existing credential providers.
  - Applications can communicate with any credential provider.
- Authz/Common Security Module (CSM)
  - Provides a centralized approach to managing and enforcing access control policy (authorization).
- Security Metadata
  - Ensures communication interoperability between grid services
Slide 10: GAARDS in Action
Slide 11: GAARDS in Action
User authenticates to the local credential provider using their everyday user credentials.
[Diagram labels: Authenticate with Local Credential Provider; SAML Assertion]
Slide 12: GAARDS in Action
Application obtains grid credentials from Dorian using the SAML assertion provided by the local provider.
[Diagram labels: SAML Assertion; Grid Credentials]
Slide 13: GAARDS in Action
Application uses grid credentials to invoke secure grid services.
[Diagram label: Grid Credentials]
Slide 14: GAARDS in Action
Grid service authenticates the user by asking the GTS whether or not the signer of the credential should be trusted.
[Diagram label: Should I trust the credential signer?]
Slide 15: GAARDS in Action
Authorization: the grid service asks CSM (or its own access control policy enforcer) whether or not the user can perform operation X on resource Y.
[Diagram label: Is Authorized?]
Slide 16: GAARDS in Action
Authorization alternative: the grid service can enforce local policy based on the user's membership in groups maintained in Grid Grouper.
[Diagram label: Is member of?]
Slide 17: Dorian
Slide 18: Grid Account Management is Difficult
- Users are required to manage a long-term certificate and private key.
  - How are they obtained?
  - Traditionally, the user generates a key pair and certificate request locally, then contacts (emails) a CA administrator to get a signed certificate.
- Mobility issues
  - Users generally work on more than one computer.
  - The certificate and private key need to be available to users on each machine.
  - Traditionally users need to copy the certificate and private key around.
  - A hassle for the users, some of whom don't have the expertise to accomplish it.
  - Security concerns.
- Difficult to administer
  - Few tools for administering the provisioning of user accounts.
  - Difficult to revoke accounts.
  - Limited information available to administrators for making decisions.
- Why can't they leverage their existing accounts to access the grid?
Slide 19: Dorian
- Grid User Account Management
  - Administrative interface for account provisioning and management.
- Built-in Certificate Authority
  - Manages grid credentials for each user.
  - Enables users to authenticate and create grid proxies, which they may use to access the grid.
- Identity Management and Federation
  - Integration point between external security domains and the grid.
  - Users may use existing credentials to obtain a grid proxy.
  - Users authenticate to an IdP and obtain a SAML assertion (proof), which is then given to Dorian to facilitate the creation of a grid proxy.
- Automated Account Creation and Provisioning
- Built-in Identity Provider
- Comprehensive Administrative UI
Slide 20: Dorian
- Proxy Creation
  - Users authenticate to their IdP.
  - Obtain a SAML assertion (proof) from the IdP.
  - Send the SAML assertion to Dorian in exchange for a grid proxy.
- Proxy Creation (Detailed)
  - User authenticates to the local IdP.
  - Local IdP issues a signed SAML assertion to the user.
  - User authenticates to Dorian with the SAML assertion.
  - Dorian verifies the signature of the SAML assertion.
  - The signing IdP must be registered with Dorian as a trusted provider.
  - Dorian locates the user's grid account, or creates one if it does not exist.
  - Dorian ensures the user has rights to create a proxy.
  - Client and Dorian negotiate to create a proxy.
Slide 21: Dorian Proxy Creation
- Proxy Creation Workflow
  - Client authenticates with the local IdP.
  - Client creates a public/private key pair to use for the grid proxy.
  - Client requests that Dorian create a grid proxy.
  - Dorian verifies that the SAML assertion provided by the user is signed by a trusted IdP and that the user has a valid account.
  - Dorian locates the user's grid credentials (private key and certificate).
  - Dorian uses the public key provided to create a proxy certificate and signs it with the user's private key.
  - Dorian returns the proxy certificate to the user.
  - The user may now use the proxy to authenticate to grid services.
[Diagram labels: Username / Password; SAML Assertion (signed)]
Slide 22: Grid User Account Creation
- A grid account is created the first time a user accesses Dorian with a SAML assertion signed by a registered Trusted Identity Provider.
- Each grid account has a status associated with it: Active, Pending, Suspended, Expired.
- Only users with an Active status will be given access to the grid.
- The initial status of a user account upon creation depends on the user policy configured for their IdP.
- A user policy is applied to a user's account every time they request that a proxy be created.
- User policies enable the administration of Dorian to be as hands-on or hands-off as the administrators wish.
Slide 23: Grid User Accounts
- Grid user accounts are managed through the grid service interface using the Admin UI.
- Grid User Account
  - IdP Local User Id
    - Uniquely identifies a user within the context of an IdP
  - First Name
  - Last Name
  - Email
  - User's role with respect to Dorian
  - User Account Status
  - Grid Credentials
    - Private Key
    - Long-term Certificate
- Grid Identity (example DN): /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost/OU=IdP 1/CN=jdoe
  - Dorian CA Metadata: /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost
  - Trusted IdP Id: OU=IdP 1
  - Local User Id: CN=jdoe
Slide 24: Managing Trusted Identity Providers
- Trusted Identity Provider: an Identity Provider that Dorian is configured to trust and for which it manages grid user accounts.
  - Id: Dorian-assigned identifier for the IdP.
  - Name: human-readable name for easy identification.
  - Status: Active / Suspended
  - User Policy: executed when users authenticate; dictates a policy to apply to a user's account.
  - Authentication Method
  - IdP Certificate: certificate whose corresponding private key will be used to sign SAML assertions.
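The proxy creation workflow on slide 21, the account status rules on slide 22, the trusted IdP registry on slide 24 and the grid service's trust check on slide 14 fit together as one protocol. The Go program below is an added example written for this page; it is not code from Dorian, caGrid or the Globus Toolkit. So that it runs offline with only the standard library, it models the SAML assertion and the X.509 certificates with one flat signed Token type (ECDSA P-256 over a fixed digest); the names Token, Dorian, TrustedIdP, Account, IssueAssertion, CreateProxy and VerifyProxy, the DN layout, the IdP id "IdP 1" and the user "jdoe" are all assumptions of the example, chosen to follow the DN style shown on slide 23. The checks are the ones the slides describe: the assertion must be signed by a registered IdP whose status is Active; the account is created on first use with the status the IdP's user policy dictates; only an Active account receives a proxy; the proxy binds the client's public key and is signed by the user's long-term key rather than by the CA; and the grid service accepts it only if that chain leads back to a CA it trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// Token is the single signed object this example uses, standing in for both SAML assertions
// and X.509 certificates (an assumption of the example). Kind separates assertion/cert/proxy
// so a signature over one kind can never be replayed as another; Pub is a PKIX DER public key.
type Token struct {
	Kind, Subject, Issuer string
	Pub                   []byte
	NotAfter              time.Time
	Sig                   []byte
}

func (t Token) digest() []byte {
	h := sha256.Sum256(append([]byte(t.Kind+"|"+t.Subject+"|"+t.Issuer+"|"+t.NotAfter.UTC().Format(time.RFC3339)+"|"), t.Pub...))
	return h[:]
}

func sign(t Token, key *ecdsa.PrivateKey) Token {
	t.Sig = must(ecdsa.SignASN1(rand.Reader, key, t.digest()))
	return t
}

// verify checks that t is unexpired and carries a valid signature from signer.
func verify(t Token, signer *ecdsa.PublicKey) error {
	if time.Now().After(t.NotAfter) || !ecdsa.VerifyASN1(signer, t.digest(), t.Sig) {
		return errors.New(t.Kind + " expired or signature invalid")
	}
	return nil
}

func must[T any](v T, err error) T { // key generation and DER coding only; policy checks return errors
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey      { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func der(k *ecdsa.PublicKey) []byte  { return must(x509.MarshalPKIXPublicKey(k)) }
func pubOf(t Token) *ecdsa.PublicKey { return must(x509.ParsePKIXPublicKey(t.Pub)).(*ecdsa.PublicKey) }

// IssueAssertion is the IdP side (workflow step 1): a short-lived, signed proof of login.
func IssueAssertion(idpID, user string, idpKey *ecdsa.PrivateKey) Token {
	return sign(Token{Kind: "assertion", Subject: user, Issuer: idpID, NotAfter: time.Now().Add(5 * time.Minute)}, idpKey)
}

const caDN = "/O=OSU/OU=BMI/OU=caGrid/OU=Dorian" // the Dorian CA's name (constructed, in the slides' DN style)

// TrustedIdP is a Dorian registry entry (slide 24): status, the key that verifies the IdP's
// assertions, and the user policy that gives a newly created account its initial status (slide 22).
type TrustedIdP struct {
	Status, InitialStatus string // "Active"/"Suspended"; "Active" or "Pending"
	Pub                   *ecdsa.PublicKey
}

// Account is a grid user's status plus long-term credentials (slide 23).
type Account struct {
	Status string
	Key    *ecdsa.PrivateKey
	Cert   Token
}

type Dorian struct {
	CAKey *ecdsa.PrivateKey
	IdPs  map[string]TrustedIdP
	Accts map[string]*Account
}

// NewDorian builds a Dorian with its own CA key and one registered IdP, "IdP 1"; the IdP's
// signing key is returned only so that this example can play the IdP's role as well.
func NewDorian() (*Dorian, *ecdsa.PrivateKey) {
	idpKey := newKey()
	d := &Dorian{CAKey: newKey(), IdPs: map[string]TrustedIdP{}, Accts: map[string]*Account{}}
	d.IdPs["IdP 1"] = TrustedIdP{Status: "Active", InitialStatus: "Active", Pub: &idpKey.PublicKey}
	return d, idpKey
}

// CreateProxy is Dorian's side of the slide 21 workflow: the assertion must come from an active
// trusted IdP and verify; the account is found or created; only an Active account gets a proxy,
// which carries the client's public key and is signed by the user's long-term key, not the CA's.
func (d *Dorian) CreateProxy(a Token, clientPub *ecdsa.PublicKey) (Token, error) {
	idp, ok := d.IdPs[a.Issuer]
	if !ok || idp.Status != "Active" || a.Kind != "assertion" {
		return Token{}, errors.New("assertion not from an active trusted IdP")
	}
	if err := verify(a, idp.Pub); err != nil {
		return Token{}, err
	}
	gridID := a.Issuer + "/" + a.Subject
	acct, ok := d.Accts[gridID]
	if !ok { // first visit: create the account and its credentials, status per the IdP's user policy
		key, dn := newKey(), caDN+"/OU="+a.Issuer+"/CN="+a.Subject
		cert := sign(Token{Kind: "cert", Subject: dn, Issuer: caDN, Pub: der(&key.PublicKey), NotAfter: time.Now().Add(365 * 24 * time.Hour)}, d.CAKey)
		acct = &Account{Status: idp.InitialStatus, Key: key, Cert: cert}
		d.Accts[gridID] = acct
	}
	if acct.Status != "Active" {
		return Token{}, errors.New("account " + gridID + " is " + acct.Status + ", not Active")
	}
	proxy := Token{Kind: "proxy", Subject: acct.Cert.Subject + "/CN=proxy", Issuer: acct.Cert.Subject, Pub: der(clientPub), NotAfter: time.Now().Add(12 * time.Hour)}
	return sign(proxy, acct.Key), nil
}

// VerifyProxy is the grid-service side (slide 14): the user's cert must chain to a CA the
// service trusts (the question it would put to the GTS) and the proxy must be signed by that
// user's key; the proxy's own key is then what authenticates the client's request.
func VerifyProxy(proxy, user Token, caPub *ecdsa.PublicKey) error {
	if user.Kind != "cert" || user.Issuer != caDN || proxy.Kind != "proxy" || proxy.Issuer != user.Subject {
		return errors.New("credential chain does not link proxy -> user -> trusted CA")
	}
	if err := verify(user, caPub); err != nil {
		return err
	}
	return verify(proxy, pubOf(user))
}

func main() { // end-to-end: IdP assertion -> Dorian proxy -> grid-service check
	d, idpKey := NewDorian()
	client := newKey()
	proxy := must(d.CreateProxy(IssueAssertion("IdP 1", "jdoe", idpKey), &client.PublicKey))
	fmt.Println(proxy.Subject, VerifyProxy(proxy, d.Accts["IdP 1/jdoe"].Cert, &d.CAKey.PublicKey) == nil)
}
```

Running it prints the proxy DN and `true`. Two details carry over to the real system: the Kind field is part of what is signed, so a certificate cannot be replayed as an assertion or the other way round; and because a proxy is signed by an end-entity key rather than a CA, the relying party has to check the proxy-to-user link itself (GSI does this with RFC 3820 proxy certificates) instead of relying on an ordinary CA chain builder.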
Slide 25: Dorian Identity Provider
- Dorian Identity Provider (Dorian IdP): enables developers, smaller groups, research labs, unaffiliated users, and other groups without an IdP to use Dorian as their IdP, such that they may leverage Dorian for creating grid credentials.
- Registration: provides a registration mechanism through the grid service interface.
- Authentication: username/password authentication over the grid service interface; successful authentication returns a SAML assertion which can later be consumed by Dorian in exchange for a grid proxy.
- Account Management: provides administrative operations for managing Dorian IdP accounts.
Slide 26: Dorian IdP Registration / Authentication
- Potential users obtain an account on the Dorian IdP by registering.
  - The grid service interface provides a mechanism for registering for a Dorian IdP account.
  - The Dorian GUI provides a graphical interface for registering with the Dorian IdP.
- Account creation depends on how the Dorian IdP is configured:
  - Auto Creation
  - Manual Creation
- Once approved, registered users can authenticate (username, password) to the Dorian IdP to obtain a SAML assertion, which can then be used to create a proxy.
Slide 27: Dorian IdP User Management
- Dorian IdP User Management
  - Manage user account information
  - Manage account status
  - Grant IdP admin rights
- Account management is done through the grid service interface; only users with admin rights may manage accounts.
- Full account management support through the Dorian GUI.
Slide 28: Authentication Service
Slide 29: Authentication Service
- The role of the AuthenticationService is to provide a uniform grid interface for authenticating to existing credential providers.
- Leveraged as an integration point between local identity management and grid identity federation.
- To achieve this goal, we define a framework as a set of interfaces that can be implemented by a credential provider.
- caGrid provides a default implementation that exposes the Common Security Module (CSM) as an IdP.
[Diagram labels: Supported Credential Providers; Dorian; Authentication Service; Local Identity management]
Slide 30: Authentication Service - Design
[Diagram labels: Authentication Service (created using the Introduce Toolkit); Authentication Provider Framework; credential providers can be integrated by implementing this interface: AuthenticationProvider, SubjectProvider, SAMLProvider]